HEAD IN THE CLOUDS

HEAD IN THE CLOUDS

Public Policy Analysis & Opinion

By Kevin P. Hennosy

HEAD IN THE CLOUDS

NAIC moves forward with major reconstruction of data assets

The National Association of Insurance Commissioners (NAIC) is moving forward with a strategic overhaul of its technological capabilities. The NAIC calls the project “State Ahead” and plans to complete it in less than three years. In July 2018, the NAIC published a fiscal impact statement to seek industry comment.

The statement addressed only the first phase of a larger project. “The first phase will create the initial version of a data strategy; document data governance policies; and pilot the application of these policies for the Property/Casualty Financial Profile dataset. Future phases will continue to refine the data strategy and data governance policies as they are applied to additional data assets.”

This project does not rise to the level of “we choose to go to the moon” by the end of this decade, but it is an important initiative for insurance regulation and for the NAIC, a Delaware-chartered, tax-exempt corporation. If constructed as proposed, the new generation of NAIC data processing capabilities would permit effective and efficient regulation of the business of insurance—if state officials choose to engage in such activities.

If constructed as proposed, the new generation of NAIC data processing capabilities would permit effective and efficient regulation of the business of insurance—if state officials choose to engage in such activities.

An essential aspect of the project is the NAIC’s movement to and perfection of a cloud computing model. This approach forestalls the need for companies to build their computer infrastructures to meet any and all of their computing needs. A cloud computing model will allow companies to make temporary—sometimes instantaneous—use of other institutions’ computer infrastructures for specific purposes.

From the insurance perspective, cloud computing plays a similar role to reinsurance, which allows carriers to transfer specific risks without setting aside reserves while continuing to expand market share.

Of course, if something goes wrong with reinsurance or cloud computing, the entire marketplace might disintegrate. In both activities the primary actor should be very, very careful.

Fiscal impact

In late July the NAIC released descriptions of several categories of details associated with the project. The descriptions came in the form of financial requests, which the NAIC staff insists on referring to as “fiscals.”

The update to NAIC’s computing capabilities will make it easier for the organization and its membership to understand the data they have. Because the NAIC sells so much data to the financial sector, this understanding will expand to that sector.

It appears that NAIC will expand or reallocate staff resources to apply more expert oversight of data compiled by the organization and its shell company, the National Insurance Producer Registry (NIPR). Tied to this goal is an improvement of NAIC-NIPR data security, which is always good for a budget line in any organizational process.

The project will quietly establish national standards for insurance data. In a way, this goal traces its history to the formation of the insurance regulatory association that used the name NAIC, which terminated operations in 2000 when the current NAIC incorporated. As long ago as 1871, insurance regulators and industry advocates sought to nationalize financial data policies and definitions. Nationalization was always controversial because some companies and regulators enjoyed parochial dominance at the local or regional level. In 1871, the “nationalists” used the term “harmonization” to describe their efforts.

The NAIC staff also promises an “increased focus on member needs.” What would we expect them to say? In the case of NIPR, this promise extends to the insurance sector. The NIPR board of directors includes representation from insurance companies and producer groups. The fiscal impact statement recommends:

“Identifying and documenting NAIC and NIPR data assets and attributes will enhance the ability of the organizations to identify gaps and make recommendations regarding opportunities to improve the existing data and identify possible new sources of data if determined to be appropriate by the membership.”

The “new sources of data” element often proves controversial among insurance carriers. First, companies would prefer not to share data for regulatory purposes or that which could be purchased by competitors. Second, some insurers and trade groups habitually seek to deny the NAIC any asset that might deliver sales revenue: Starve the beast.

Budget numbers

The fiscal impact statement request-ed $225,000 in 2018, which the project managers would spend on consulting services. The request distributed that cost across the NAIC ($150,750) and NIPR ($74,250) budgets.

The NAIC retains Informatica, a third-party technology firm, to provide consulting services. Informatica is a 20-year-old company with offices in North and South America, Europe, and Asia. Among many areas of expertise, Informatica touts its ability to help clients construct a cloud infrastructure. According to the Informatica website, a cloud infrastructure “allows you to integrate, synchronize, and relate all data, applications, and processes—on premises or in any part of your multi-cloud environment.”

The fiscal impact statement reports that the NAIC uses Informatica for select services: “Informatica has many modules that support data governance, management, and quality. To avoid purchasing tools that contain unnecessary functionality, the NAIC has purchased only the Enterprise Data Catalog module that will be used to enter the business data glossary for the pilot metadata set.”

Still, the NAIC staff seems poised to expand its purchases of Informatica products and services as the need arises. “While additional modules may be identified as needed or desired to expand the application of the data governance rules, careful analysis will be done to ensure those tools are necessary,” according to the fiscal impact statement.

Security

The fiscal impact statement promised certain improvements to the NAIC’s data security operations but did not provide budget details. At that time the NAIC implied that a future fiscal impact statement will provide more detail.

“The data governance program, once implemented in the Enterprise Data Platform and Data Warehouse project, will allow NAIC and NIPR to more efficiently identify all data assets and asset attributes, such as the existence of PII data elements and confidentiality requirements, and to significantly improve the current handling of data sets by applying standardized processes and oversight of data stewardship.”

Well, that gives us all something to look forward to reading during the cold winter nights.

The vaguely cited “PII data elements” are “wicked important.” The acronym refers to personally identifiable information. PII data elements include, name, address, Social Security number or other identifying number or code, telephone number, and email address. The U.S. Department of Labor’s definition of PII data elements addresses information that an agency “intends to use to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors).” But wait—there’s more! “Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information.”

The NIPR collects and holds PII data elements in connection with its role in facilitating multi-state insurance licensing applications. The NAIC itself occasionally collects such data at the direction of federal agencies or Congress. For example, studies of the Medicare supplement insurance sector could extend to include PII data elements.

In the case of the Department of Labor, the agency takes a no-nonsense approach to the security its contractors provide for PII data elements. “The loss of PII can result in substantial harm to individuals, including identity theft or other fraudulent use of the information. Because DOL employees and contractors may have access to personal identifiable information concerning individuals and other sensitive data, we have a special responsibility to protect that information from loss and misuse.” If any DOL contractor experiences a breach of PII data elements security, the contractor must immediately report the failure.

This DOL example is applicable to the NAIC and NIPR because neither is a government entity. Both entities face the liability risks common to private sector contractors.

Business practice

The July 2018 fiscal impact statement gave observers a peek at what the State Ahead project will mean for NAIC staff resources. The new data strategy—national standards—will require the NAIC/NIPR to address human resources, organizational change, and best practices issues. None of these issues raised in the statement is accompanied by any details about what they will mean to NAIC processes.

Concerning human resources, the NAIC planners recognize that the staff will need training in some areas. “[S]taff will need to be trained, and organization-al changes may be required to support new data governance processes.”

Also, the statement reported, “There will need to be a strong change management process in place to ensure successful implementation of the data governance program and successful transition of staff to new processes.”

The topic of best practices was raised in the statement’s discussion of “data stewards.” “Internal staff from each business area will be asked to learn best practices from the vendor, document the data sets, and begin data entry into the catalog tool.”

Of course, if one wishes to understand what the NAIC and NIPR want to do with these new data processing capabilities, one needs to know more about the business practices that the NAIC and the NIPR will employ, and the NAIC does not provide much information along those lines. The fiscal impact statement contains the following overview:

“The data governance program, once implemented as part of the Enterprise Data Platform and Data Warehouse project outlined in a separate fiscal statement, will allow NAIC and NIPR to quickly and easily identify all data assets and asset attributes, such as the existence of personally identifiable information (PII) data elements and confidentiality requirements, to unify the handling of data sets through the use of standardized processes, and to ensure accountability of data oversight and management.”

This is a project worth keeping an eye on.

The author

Kevin P. Hennosy is an insurance writer who specializes in the history and politics of insurance regulation. He began his insurance career in the regulatory compliance office of Nationwide Insurance Cos. and then served as public affairs manager for the National Association of Insurance Commissioners (NAIC). Since leaving the NAIC staff, he has written extensively on insurance regulation and testified before the NAIC as a consumer advocate.